Blogging safe again after WordPress scare

Security firm Sucuri first spotted the security flaw midweek, pinpointing the TwentyFifteen theme and JetPack plugin at the heart of the problem.

“Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons,” explains Sucuri’s blog.

“The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package.”

If exploited, it could allow hackers to seize total control of a site.

WordPress has now released a fix, and is encouraging its users to update to WordPress version 4.2.2 immediately.

“Any WordPress plugin or theme that includes this file is open to an attack,” the company wrote on its VaultPress blog. “We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click ‘Update Now’.”
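Since exposure depends on whether a theme or plugin still ships the genericons example.html file, an administrator can audit an install for leftover copies. The Python script below is an added example, not code from Sucuri or WordPress. It assumes it is pointed at a wp-content directory and that the package sits in a directory whose name contains "genericons"; the sample tree it builds is constructed.

```python
import os
import tempfile

# Assumption: the bundled package lives in a directory whose name contains
# "genericons"; example.html is the file named in the advisory quoted above.
PACKAGE_HINT = "genericons"
DEMO_FILE = "example.html"


def find_genericons_examples(wp_content):
    """Return sorted (component, relative_path) pairs for every copy of
    example.html found inside a genericons directory under wp_content."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(wp_content):
        rel_dir = os.path.relpath(dirpath, wp_content)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        if not any(PACKAGE_HINT in p.lower() for p in parts):
            continue
        for name in filenames:
            if name.lower() != DEMO_FILE:
                continue
            # The first two path parts name the owner, e.g. themes/twentyfifteen.
            component = "/".join(parts[:2])
            hits.append((component, "/".join(parts + [name])))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout, used only to demonstrate the scan."""
    layout = [
        "themes/twentyfifteen/genericons/example.html",
        "themes/twentyfifteen/genericons/genericons.css",
        "plugins/jetpack/_inc/genericons/genericons/Example.html",
        "plugins/other-plugin/docs/example.html",          # not genericons: ignored
        "themes/patched-theme/genericons/genericons.css",  # demo file already removed
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for component, rel_path in find_genericons_examples(tmp):
            print(f"{component}: {rel_path}")
```

An empty result for a real wp-content directory means no copy of the file was found under a genericons directory; any hit names the theme or plugin to update.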